b'U. S. Department of the Interior\nOffice of Inspector General\n\n\n                                   Audit Report\n                 IMPROVEMENTS MADE\n           IN GENERAL CONTROLS O VER\n      AUTOMATED INFORMATION SYSTEMS\n\n                     OFFICE OF SURFACE MINING\n                RECLAMATION AND ENFORCEMENT\n\n\n\n\nPicture courtesy of OSM\n\n\n\n\n                                   Report No. 01-I-415\n                                      September 2001\n\x0cU.S. Department o the Interior                                  Office of Inspector General\n\n                         EXECUTIVE SUMMARY\n                   Improvements Made in General Controls\n                    Over Automated Information Systems,\n           Office of Surface Mining Reclamation and Enforcement\n                             Report No. 01-I-415\n                              September 2001\n                                 The Office of Surface Mining Reclamation and\nBACKGROUND\n                                 Enforcement (OSM) is dependent on automated information\n                                 systems to support its mission and to provide reliable data\n                                 for its annual financial statements. The Division of\n                                 Information Systems Management is responsible for\n                                 facilitating controls and efficient and effective use of\n                                 information technologies and information resources to\n                                 support the OSM mission.\n\nOBJECTIVE                        The objective of the audit was to determine whether the\n                                 actions taken by the OSM satisfactorily implemented the 38\n                                 recommendations in our prior audit report titled \xe2\x80\x9cGeneral\n                                 and Application Controls Over Automated Information\n                                 Systems, Office of Surface Mining Reclamation and\n                                 Enforcement,\xe2\x80\x9d (No. 00-I-138) and whether any new\n                                 recommendations were warranted.\n\nRESULTS IN BRIEF                 We concluded that the OSM had made substantial progress\n                                 in correcting the weaknesses identified in our prior audit\n                                 report and in improving general controls over the OSM\xe2\x80\x99s\n                                 automated information systems. Based on actions taken\n                                 previously and as a result of our current audit, we\n                                 considered 37 of the 38 recommendations resolved and\n                                 implemented.\n\n                                 We made four new recommendations to the OSM that\nRECOMMENDATIONS\n                                 should correct the weaknesses identified in our current\n                                 report.\n\n                                 The OSM concurred with the report\xe2\x80\x99s four\nAUDITEE COMMENTS\nAND OFFICE OF                    recommendations and agreed to take the recommended\nINSPECTOR GENERAL                corrective actions.\nCOMMENTS\n\x0c                                                                         A-IN-OSM-001-00-M\n\n\n\n                       United States Department of the Interior\n                                  Office of Inspector General\n                                  National Information Systems Office\n                                    134 Union Boulevard, Suite 510\n                                        Lakewood, Colorado 80228\n\n\n\n                                                                         September 21, 2001\n\n\n                                 AUDIT REPORT\nMemorandum\n\nTo:      Director, Office of Surface Mining Reclamation and Enforcement\n\nFrom:    Diann Sandy\n         Director, National Information Systems Office\n\nSubject: Improvements in General Controls Over Automated Information Systems, Office of\n         Surface Mining Reclamation and Enforcement (No. 01-I-415)\n\nWe reviewed the actions taken by the Office of Surface Mining Reclamation and\nEnforcement (OSM) to determine whether the OSM satisfactorily implemented the 38\nrecommendations in our December 1999 audit report titled \xe2\x80\x9cGeneral and Application\nControls Over Automated Information Systems, Office of Surface Mining Reclamation and\nEnforcement\xe2\x80\x9d (No 00-I-138) to improve general controls over the OSM\xe2\x80\x99s automated\ninformation systems. We also determined whether any new recommendations were\nwarranted. In addition, we performed this audit to support the Office of Inspector General\xe2\x80\x99s\nopinion on the OSM\xe2\x80\x99s financial statements by evaluating the reliability of the general\ncontrols over automated systems that support the annual financial statements.\n\n\n                                        RESULTS OF AUDIT\n                          We concluded that the OSM had made substantial progress in\n   The OSM                improving general controls over its automated information systems\n   Improved               by implementing 37 of the 38 recommendations contained in our\n   General                prior audit report. We found that before the start of our current\n   Controls Over          audit, the OSM implemented 29 of the 38 recommendations from\n                          our prior audit. Based on our current audit, the OSM implemented\n   Its Automated\n                          an additional 8 recommendations. The one prior audit\n   Systems                recommendation awaiting implementation pertains to contingency\n                          plans. Our current audit made four new recommendations\n                          concerning the completion of corrective actions and the\n                          improvement of security management and access controls.\n\x0cThe OSM recently improved controls in the following areas.\n\nRisk Management\n\nIn our prior report we recommended that risk assessments be\nconducted (Recommendation A.2). The OSM prepared risk\nassessments of its five mission-critical information systems, and\nsenior management approved these assessments.\n\nReviewing Users\xe2\x80\x99 Access to Systems\n\nIn our prior report we recommended that the OSM develop and\nimplement procedures to periodically review users\xe2\x80\x99 levels of\naccess to systems to ensure that the access levels are current and\nappropriate (Recommendation E.3). The OSM Division of\nFinancial Management completed its review of access levels of all\nusers of its systems, and the OSM has implemented procedures to\nensure that periodic reviews of all users levels of access to all\nOSM systems would be performed.\n\nNotifying System Administrators of Changes in Users\xe2\x80\x99\nEmployment Status\n\nIn our prior report we recommended that the OSM develop and\nimplement procedures to promptly notify system administration\npersonnel of users\xe2\x80\x99 employment terminations or reassignments of\nduties (Recommendation E.4). The OSM developed procedures\nfor promptly notifying system administration personnel of system\nusers\xe2\x80\x99 employment terminations or reassignments.\n\nSeparation of Duties\n\nIn our prior report we recommended that policies and procedures\nbe implemented to ensure separation of duties between reviewing\nand controlling system logs and administering system access\ncontrols (Recommendations K.3 and M.1). In addition, we\nrecommended that application programmers should not be\nresponsible for moving changed software into the production\nenvironment and should not have access to update or change\nproduction data (Recommendation M.2). The OSM developed\npolicies and procedures for maintaining, controlling, and reviewing\nsystem logs and ensured that personnel who were responsible for\nmaintaining the logs did not review or control the logs or\nadminister access to the systems. In addition, the OSM\nimplemented procedures, which it believes alleviates the separation\nof duty risks, for moving changed software to the production\nenvironment. Further, in the OSM\xe2\x80\x99s next risk analysis, the OSM\n\n                                 2\n\x0c                  will address the risk associated with the separation of duties in\n                  moving changed software into production and ensure that OSM\n                  management officials accept any residual risk.\n\n                  Software Development and Change Management Controls\n\n                  In our prior report we recommended that the OSM\xe2\x80\x99s policies and\n                  procedures for software development and change management be\n                  enforced (Recommendation N.1). The OSM developed policies to\n                  ensure that all application software changes are properly\n                  authorized, tested, and approved prior to being moved into\n                  production and that access to software programs is controlled. In\n                  addition, the OSM established an Independent Security Officers\n                  Review Team to perform periodic reviews of software\n                  development and change management to ensure that OSM policies\n                  are followed.\n\n                  We found that further improvements are needed in the following\nFurther           areas.\nImprovement in\nSystem Security   Finalize and Test System Contingency Plan\nManagement and\nAccess Controls   In our prior report we recommended that contingency plans\n                  intended for telecommunications links, facilities, and the data\nAre Needed        center be finalized and tested and that test results be used to update\n                  these plans. Additionally, we recommended that assurance should\n                  be provided that personnel are trained to implement the plans\n                  (Recommendation O.2). The OSM had not finalized the systems\n                  contingency plan and had not tested the continuity of operations\n                  plan for the OSM headquarters operations. The OSM officials said\n                  that the planning for service continuity was ongoing but the plan\n                  had not been completed, approved, and finalized. Until the\n                  headquarters contingency planning is completed and tested, the\n                  OSM remained vulnerable to loss of systems operations caused by\n                  a loss of computing capability due to an unexpected event.\n\n                  Reevaluate Position Sensitivity Classifications\n\n                  Although the OSM implemented personnel security policies and\n                  procedures, we found that position sensitivity classifications were\n                  not always based on the duties and risks of the positions. For\n                  example, system administrator positions that had full access and\n                  control over systems were not designated as critical public trust\n                  positions. Without adequate classification of positions warranting\n                  critical public trust and the commensurate security clearances, the\n                  risk was increased that the OSM systems could be compromised or\n                  impaired. The OSM needs to reevaluate its positions for\n\n                                                    3\n\x0c                  performing information systems duties to determine the inherent\n                  security risks and sensitivity of these positions and properly\n                  classify the positions of high risk.\n\n                  New User Access\n\n                  The OSM policy requires granting access to new users of systems\n                  to be documented and approved by system security managers or\n                  system owners. We found, however, that access was granted to the\n                  Applicant Violator System (AVS), which is a major application,\n                  based on verbal requests via telephone communication. Granting\n                  access to the AVS by verbal request does not ensure that the\n                  request is authentic and that responsible managers or supervisors\n                  have authorized the new user access request. Using this type of\n                  authorizing procedure subjects the AVS to the risk of unauthorized\n                  use and uncontrolled acts. The OSM needs to ensure that new user\n                  access to the AVS is granted in accordance with established OSM\n                  access control procedures.\n\n                  Remote Access\n\n                  The OSM had established remote access connectivity to some of\n                  its information systems via dialup to a modem pool; however, all\n                  available security practices to control unauthorized dialup access\n                  were not implemented. For example, we found that the telephone\n                  numbers for the remote-access modem pool were not periodically\n                  changed and that a call-back feature to specifically authorized\n                  remote-user telephone numbers was not implemented.\n                  Additionally, the OSM had not established other available security\n                  measures for remote-access users (via modem and the Internet\n                  from home computers) such as requiring specific virus protection\n                  on the remote computers. The OSM management needs to\n                  strengthen remote access controls and safeguards to protect the\n                  OSM systems from unauthorized intrusion, virus threats, and cyber\n                  attacks.\n\n                  We recommend that the Director, OSM:\nRecommendations\n                      1. Fully implement our prior report Recommendations A.2, C.1,\n                  E.3, E.4, K.3, M.1, M.2, N.1, and O.2; or institute other alternative or\n                  compensating controls adequate to correct the weaknesses; or if certain\n                  weaknesses are an acceptable risk, document the risk acceptance in a\n                  formal (management approved) risk assessment.\n\n\n\n\n                                                   4\n\x0c                 2. Reevaluate the appropriateness of designated sensitive or high\n             risk positions and the respective duties and obtain the necessary security\n             clearances for personnel filling these sensitive or critical public trust\n             positions.\n\n                 3. Ensure that the OSM\xe2\x80\x99s established policies and procedures are\n             followed when granting new users\xe2\x80\x99 access to the Applicant Violator\n             System.\n\n                 4. Establish remote-access control procedures and remote user-set\n             parameters and strengthen the existing practices by providing added\n             control features and required settings or document the acceptance of\n             risk in a formal (management approved) risk assessment.\n\n             Based on the May 30, 2001 (Appendix 2) and July 3, 2001 (Appendix\n OSM         3) responses, we consider Recommendation 1 resolved but not\n Response    implemented and have requested additional information for\n             Recommendations 2, 3, and 4. The OSM agreed with the\n and OIG\n             recommendations, but needs to provide target dates for implementation\n Reply       of actions planned and titles of officials responsible for implementation.\n             The May 30, 2001 response to Recommendation 1 stated that the only\n             remaining corrective actions regarding our prior report\xe2\x80\x99s\n             recommendations would be to complete Recommendation O.2 during\n             June and August 2001. Additionally, the OSM provided the latest draft\n             version of the Continuity of Operations Plan (Management Plan, Test\n             Plan, and Schedule) for its headquarters systems operations. As stated\n             in the Results of Audit section, the OSM draft plan still needs to be\n             finalized and tested.\n\n             The mission of the OSM is to implement the provisions of the\nBackground   Surface Mining Control and Reclamation Act and to ensure that\n             society and the environment are protected from the adverse effects\n             of surface and subsurface coal mining operations. The OSM\n             activities include issuing mining permits, inspecting mining\n             operations, enforcing mining standards, ensuring the effectiveness\n             of authorized state and tribal regulatory programs, and promoting\n             reclamation of surface mine lands.\n\n             The OSM is dependent on automated information systems to\n             support its mission and provide reliable data for its financial\n             statements. The Division of Information Systems Management is\n             responsible for facilitating the systems controls and efficient and\n             effective use of information technologies to support the OSM\n             mission. Various OSM organizations, including the Division of\n             Information Systems Management, the Division of Financial\n             Management, assistant directorates, and regional and field offices\n             share responsibilities over the OSM systems. Nationwide,\n             automated data processing support is provided through local area\n                                               5\n\x0c              network-based servers and microcomputer workstations, and the\n              networks are interconnected by the OSM-wide area network.\n\n              Our audit was conducted at the OSM\xe2\x80\x99s headquarters in\nScope and     Washington, D.C., and its data center in Denver, Colorado. Our\nMethodology   audit was performed in accordance with the \xe2\x80\x9cGovernment Auditing\n              Standards,\xe2\x80\x9d issued by the Comptroller General of the United\n              States. Accordingly, we included such tests of the records and\n              other auditing procedures that were considered necessary under the\n              circumstances. Additionally we used the review methodologies\n              contained in the U.S. General Accounting Office\xe2\x80\x99s \xe2\x80\x9cFederal\n              Information System Controls Audit Manual.\xe2\x80\x9d As part of our\n              review we evaluated only the internal controls related to the\n              general control environment over the OSM\xe2\x80\x99s automated\n              information systems.\n\n              Section 5(a) of the Inspector General Act (5 U.S.C. app. 3) requires the\n              Office of Inspector General to list this report in its semiannual report to\n              the Congress. In addition, the Office of Inspector General provides\n              audit reports to the Congress.\n\n              This report is intended for the information of management of the\n              Department of the Interior, the Office of Management and Budget,\n              and the Congress. However, this report is a matter of public\n              record, and its distribution is not limited.\n\n\n\n\n                                                6\n\x0c                                                                               APPENDIX 1\n\n\n\n   SUMMARY OF RECOMMENDATIONS AND CORRECTIVE ACTIONS\n            FOR THE DECEMBER 1999 AUDIT REPORT\n    \xe2\x80\x9cGENERAL AND APPLICATION CONTROLS OVER AUTOMATED\n       INFORMATION SYSTEMS, OFFICE OF SURFACE MINING\n         RECLAMATION AND ENFORCEMENT\xe2\x80\x9d (No. 00-I-138)\n\n                                                                Status of Recommendations\nRecommendations\n                                                                and Corrective Actions\nA.1. Determine the risks associated with each of the            Implemented.\nsystems and, based on the results of the risk assessments,\nestablish appropriate security policies and procedures.\nA.2. Ensure that risk assessments are conducted in              Implemented.\naccordance with Federal guidelines which recommend that\nrisk assessments support the acceptance of risk and the\nselection of appropriate controls. Specifically, the risk\nassessments should address significant risks affecting\nsensitive systems and major applications, appropriately\nidentify controls implemented to mitigate those risks, and\nformalize the acceptance of residual risk.\nA.3. Formally assign and communicate responsibility to          Implemented.\nthose individuals required to participate in assessing risks.\nB.1. Provide resources to ensure that automated                 Implemented.\ninformation systems security plans are developed for the\nOSM\xe2\x80\x99s general support systems and major applications in\naccordance with the Computer Security Act; Office of\nManagement and Budget Circular A-130, Appendix III; and\nthe National Institute of Standards and Technology\xe2\x80\x99s\nSpecial Publication 800-18.\nB.2. Ensure that the automated information systems              Implemented.\nsecurity function is elevated organizationally to report\ndirectly to the OSM\xe2\x80\x99s Chief Information officer and\nformally provide the position with the authority to\nimplement and enforce a computer security program\nthroughout the OSM.\nB.3. Report the lack of security plans for the OSM\xe2\x80\x99s            Implemented.\nsensitive systems as a material weakness in the OSM\xe2\x80\x99s\nannual assurance statement on management controls for\nfiscal year 1999.\nC.1. Ensure that personnel security policies and procedures     Implemented.\nare developed, implemented, and enforced, including those\nfor obtaining appropriate security clearances for personnel\nfilling sensitive or critical public trust positions.\nC.2. Ensure that all automated data processing contractor       Implemented.\nemployees have proper background clearances.\n\n\n                                             7\n\x0c                                                                               APPENDIX 1\n\n\n                                                                Status of Recommendations\nRecommendations\n                                                                and Corrective Actions\nC.3. Ensure that periodic reinvestigations are completed        Implemented.\nevery 5 years on personnel who are in public trust high risk\npositions.\nD.1. Develop and implement policies to classify the OSM\xe2\x80\x99s       Implemented.\ncomputer resources in accordance with the results of\nperiodic risk assessments and guidance contained in Office\nof Management and Budget Circular A-130, Appendix III.\nE.1. Institute a policy of \xe2\x80\x9cleast privilege\xe2\x80\x9d access levels to   Implemented.\nensure that access to resources and data is limited to those\nusers who require such access.\nE.2. Develop and implement policies and procedures for          Implemented.\napproving access to the automated information systems that\ninclude the formal assignment of responsibility for\napproving systems access.\nE.3. Develop and implement procedures to ensure that user       Implemented.\naccess levels are periodically reviewed to ensure that the\ncurrent access provided is appropriate.\nE.4. Develop and implement procedures to ensure that            Implemented.\nsystem administration personnel are promptly notified of\nchanges in employee assignments or employment\nterminations.\nE.5. Implement controls to ensure that system owners            Implemented.\napprove all access to their applications in accordance with\nthe OSM\xe2\x80\x99s policy.\nF.1. Develop and implement policies and procedures              Implemented.\nestablishing the maximum number of log-in attempts\nallowed for the OSM\xe2\x80\x99s automated information systems in\ncompliance with Department of the Interior regulations.\nF.2. Ensure that the systems log-in warning message is the      Implemented.\nfirst screen displayed upon initial access and prior to the\nuser being authenticated as a valid system user.\nG.1. Develop and implement password policies and                Implemented.\nprocedures. In addition, controls to ensure compliance with\nthese policies and procedures should be implemented.\nG.2. Implement a policy requiring system administration         Implemented.\npersonnel to log on to the automated information systems\nunder specific user IDs.\nG.3. Evaluate current capabilities and implement                Implemented.\nprocedures to address encryption or other security methods\nto help prevent powerful system passwords and accounts\nfrom being compromised when traveling across a network,\nsuch as the wide area network and the Internet.\n\n\n\n\n                                             8\n\x0c                                                                               APPENDIX 1\n\n\n                                                                Status of Recommendations\nRecommendations\n                                                                and Corrective Actions\nH.1. Develop policies and procedures to ensure that             Implemented.\ncontrols are in place to protect the Novell network operating\nsystem and other system software from unauthorized\nmodification or manipulation.\nI.1. Identify and implement the technical controls necessary    Implemented.\nto ensure that only authorized users have access to the\nNovell file servers. The controls should include using the\n\xe2\x80\x9cSECURE CONSOLE\xe2\x80\x9d command in the autoexec.ncf file,\nencrypting the \xe2\x80\x9cRCONSOLE\xe2\x80\x9d password, and using the\n\xe2\x80\x9cLOCK CONSOLE\xe2\x80\x9d command.\nJ.1. Install a firewall system for the Division of Financial    Implemented.\nManagement\xe2\x80\x99s local area network.\nK.1. Evaluate acquiring systems verification and auditing       Implemented.\nsoftware.\nK.2. Implement the systems options available in each of the     Implemented.\noperating systems to record activities affecting the systems.\nK.3. Implement policies and procedures to ensure that           Implemented.\nsystems logs are used and are maintained for an appropriate\namount of time to provide an adequate audit trail of systems\nactivities and are controlled by personnel independent of the\nsystems access control administration function.\nK.4. Develop and implement procedures to ensure that            Implemented.\nperiodic reviews of systems logs for unauthorized or\ninappropriate activities are performed and that unauthorized\nor inappropriate activities are reported to the OSM\nmanagement.\nL.1. Establish policy and procedures for ensuring that          Implemented.\navailable software updates and service packs are reviewed\nto identify those that should be implemented to address an\napplicable systems vulnerability.\nL.2. Implement procedures to ensure that those updates          Implemented.\nwhich are determined to be needed are implemented in a\ntimely manner.\nM.1. Implement procedures to ensure that personnel who          Implemented.\nperform access control administration are not the same\nindividuals who review and control systems security logs\nand systems audit trails.\nM.2. Implement controls to ensure that application              Implemented.\nprogrammers are not responsible for moving changed\nsoftware into the production environment and do not have\naccess to update/change production data.\n\n\n\n\n                                             9\n\x0c                                                                                  APPENDIX 1\n\n\n                                                                  Status of Recommendations\nRecommendations\n                                                                  and Corrective Actions\nN.1. Enforce OSM\xe2\x80\x99s written policies and procedures to             Implemented.\nensure that all application programs and modifications are\nproperly authorized, tested, and approved and that access to\nand distribution of programs is controlled.\nN.2. Establish the process of correcting applications             Implemented.\ndeficiencies as a high priority to reduce manual processes.\nN.3. Review change requests timely to ensure that user            Implemented.\nrequirements are supported in the applications.\nO.1. Ensure that a contingency plan is developed for critical     Implemented.\ntelecommunications links.\nO.2. Ensure that contingency plans for telecommunications         Partially implemented. The\nlinks, facilities, and the data center are finalized and tested   OSM had not completed and\nand that test results are used to update these plans.             finalized its contingency plans\nAdditionally, assurance should be provided that personnel         or fully tested the plan for its\nare trained to implement the plans.                               headquarters operations.\nO.3. Provide for a secure off-site storage facility that is at    Implemented.\nleast 1 mile from the computer facility.\nP.1. Develop and implement a formal incident response             Implemented.\nplan and team.\n\n\n\n\n                                              10\n\x0c                                                           APPENDIX 2\n\n\n\n\nNote: ALL ATTACHMENTS NOT INCLUDED BY OFFICE OF THE INSPECTOR GENERAL.\n\n\n\n\n                              11\n\x0c     APPENDIX 2\n\n\n\n\n12\n\x0c     APPENDIX 2\n\n\n\n\n13\n\x0c     APPENDIX 2\n\n\n\n\n14\n\x0c     APPENDIX 2\n\n\n\n\n15\n\x0c                                                                            APPENDIX 3\n\n\n            OFFICE OF SURFACE MINING\n      RESPONSE TO IG AUDIT RECOMMENDATIONS\n                    JULY 3, 2001\n\n        OSM reviewed the Draft Audit Report Number A-IN-OSM-001-00-M, and has\nconcurred with the IG conclusions that OSM has made substantial progress in correcting\nthe prior identified weaknesses. In our last response to this Draft Audit report we\nneglected to comment on items listed under Recommendations made to the Director,\nOSM. Our comments are as follows:\n\n       2. Reevaluate the appropriateness of designated sensitive or high risk\n          positions and the respective duties and obtain the necessary security\n          clearances for personnel filling these sensitive or critical public trust\n          positions.\n\nResponse: OSM concurs with the IG on this item and offers the following response:\n\n        OSM will reevaluate the appropriateness of designated sensitive or high risk\npositions and respective duties and obtain the necessary security clearances. The security\nclearance of the position with be commensurate with actual duties and access to\ninformation and systems.\n\n\n       3. Ensure that the OSM\xe2\x80\x99s established policies and procedures are followed\n          when granting new users\xe2\x80\x99 access to the Applicant Violator System.\n\nResponse: OSM concurs with the IG on this item and offers the following response:\n\n         OSM will ensure that established policies and procedures are followed when\ngranting new users\xe2\x80\x99 access to the Applicant Violator System. All new user access from\nwithin OSM or from the States and Tribes will have the appropriate documentation prior\nto the issuance of access.\n\n       4. Establish remote-access control procedures and remote user-set\n          parameters and strengthen the existing practices by providing added\n          control features and required settings or document the acceptable risk in\n          a formal (management approved) risk assessment.\n\nResponse: OSM concurs with the IG on this item and offers the following response:\n\n        OSM is currently reviewing our remote-access procedures and will implement\nprocedures to increase security. Remote-access guidelines for granting user access will\nbe reviewed to keep access to an as needed basis. Current accounts have been reviewed\nand inactive accounts deleted.\n\n\n\n                                          16\n\x0c                                                             APPENDIX 4\n\n\n\n     STATUS OF AUDIT REPORT RECOMMENDATIONS\n\n    Finding/\nRecommendation\n    Reference        Status                   Actions Required\n\n      1          Resolved; not     No further response to the Office of\n                 implemented.      Inspector General is required. The\n                                   recommendations will be forwarded to\n                                   the Assistant Secretary for Policy,\n                                   Management and Budget for tracking\n                                   of implementation.\n\n  2, 3, and 4    Management        Provide the Office of Inspector\n                 concurs;          General with target dates for actions\n                 additional        planned and titles of officials\n                 information       responsible for implementation.\n                 requested.\n\n\n\n\n                              17\n\x0c                       ILLEGAL OR WASTEFUL ACTIVITIES\n                      SHOULD BE REPORTED TO\n                 THE OFFICE OF INSPECTOR GENERAL\n\n\n                      Internet Complaint Form Address\n                  http://www.oig.doi.gov/hotline_form.html\n\n                     Within the Continental United States\nU.S. Department of the Interior           Our 24-hour\nOffice of Inspector General               Telephone HOTLINE\n1849 C Street, N.W.                       1-800-424-5081 or\nWashington, D.C. 20240-0001               (202) 208-5300\n\n                                          TDD for hearing impaired\n                                          (202) 208-2420\n\n\n                     Outside the Continental United States\n\nCaribbean Region\n\n   U.S. Department of the                 (703) 235-9221\n          Interior\nOffice of Inspector General\nEastern Division \xe2\x80\x93 Investigations\n4040 Fairfax Drive\nSuite 303\nArlington, Virginia 22203\n\nPacific Region\n\nU.S. Department of the Interior           (671) 647-6060\nOffice of Inspector General\nGuam Field Pacific Office\n415 Chalan San Antonio\nBaltej Pavilion, Suite 306\nAgana, Guam 96911\n\n\n\n\n                                     18\n\x0c'